Security Warning prompt

Suggestions and feature requests for the Pale Moon browser

Post by RealityRipple » 2018-07-14, 02:20

I'm sure everyone has seen this message a number of times, particularly on websites that do a rush job of making their site HTTPS. Its purpose is to warn that HTTP is being used for POST from an HTTPS page, and it's a very important job. However, I've noticed that it can also occur under other circumstances. In particular, I use a form with the method set to "GET", the enctype set to "text/plain", and the action set to a cryptocurrency protocol, such as "zcash:". My question is, is it the expected behavior for this prompt to show up regardless of conditions if HTTPS becomes any other protocol, or is it supposed to only get in the way of HTTP (and maybe possibly FTP)? I'm also not sure that a GET request is as dangerous as a POST request in practice, as no good web developer would use a GET request to send private information to begin with. Perhaps some more explicit code could be used to only show the prompt if it's over POST and/or if it's a transition from HTTPS to HTTP (+ FTP?) exclusively? I can see instances where POSTing to other protocols might be better off with the prompt, but chances are that GETting to another protocol is not the kind of event this message was designed to warn about. I guess it comes down to whether you want to prioritize user experience or user safety. In either case, it'd be nice if there was a way to say that certain protocols are either secure or local, and to treat secure and local protocols as though they're on the same grounds as HTTPS, and thus show no prompt.
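An added example, not part of the original post and not Pale Moon code: the two prompt policies the post contrasts, applied to constructed sample forms on an HTTPS page. The function names, the scheme lists, and the reading of "and/or" (cleartext HTTP/FTP always prompts, other schemes prompt only on POST) are assumptions.

```javascript
// Added example; names and scheme lists are assumptions, not Pale Moon code.
const CLEARTEXT = new Set(["http:", "ftp:"]);   // network schemes without TLS
const TRUSTED = new Set(["https:", "zcash:"]);  // hypothetical "secure or local" allowlist

// Resolve a form the way a browser would: relative actions inherit the page's
// scheme, a missing action targets the page itself, unknown methods mean GET.
function resolveForm(pageUrl, form) {
  const page = new URL(pageUrl);
  const target = new URL(form.action || pageUrl, page);
  const method = String(form.method || "").toLowerCase() === "post" ? "post" : "get";
  return { page, target, method };
}

// Behaviour the post asks about: prompt whenever a secure page submits
// to any scheme other than https, whatever the method.
function promptOnAnySchemeChange(pageUrl, form) {
  const { page, target } = resolveForm(pageUrl, form);
  return page.protocol === "https:" && target.protocol !== "https:";
}

// Policy the post proposes.
function promptProposed(pageUrl, form) {
  const { page, target, method } = resolveForm(pageUrl, form);
  if (page.protocol !== "https:") return false;     // only secure pages are in scope
  if (TRUSTED.has(target.protocol)) return false;   // allowlisted scheme, no prompt
  if (CLEARTEXT.has(target.protocol)) return true;  // HTTPS -> HTTP/FTP, any method
  return method === "post";                         // other schemes: POST only
}

// Constructed sample forms for a page at https://shop.example/checkout
const SAMPLE_PAGE = "https://shop.example/checkout";
const SAMPLE_FORMS = [
  { name: "pay", method: "GET", enctype: "text/plain", action: "zcash:" },
  { name: "login", method: "post", action: "http://shop.example/login" },
  { name: "search", method: "get", action: "/search" },
  { name: "feedback", method: "post", action: "mailto:help@shop.example" },
];

// One row per form: resolved scheme and the verdict of each policy.
function audit(pageUrl, forms) {
  return forms.map((f) => ({
    name: f.name,
    scheme: resolveForm(pageUrl, f).target.protocol,
    anyChange: promptOnAnySchemeChange(pageUrl, f),
    proposed: promptProposed(pageUrl, f),
  }));
}

console.table(audit(SAMPLE_PAGE, SAMPLE_FORMS));
```

The two policies differ only on the `zcash:` row; the cleartext login POST and the `mailto:` POST prompt under both.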